IT Asset Management System

ABSTRACT

The system provides a method to automate the complex processes that occur at the end-of-life of IT hardware assets and, at the same time, increase the resale value of these assets. Using the system, an IT manager is able to identify a scalable number of systems for Secure Disk Wiping, Diagnostic Testing, Hardware Audit, License Recovery and Backup. In one embodiment, these tasks are schedule driven, performed on multiple systems simultaneously, and minimize the usage of network bandwidth. (In one embodiment, the system is agentless.) At the same time, an IT manager can increase resale value by restoring operating systems to hard drives once wiped, diagnostically testing systems, and capturing detailed hardware information, all of which can be supplied to potential buyers or new users of repurposed/refurbished components.

This application claims priority to U.S. Provisional Patent Application Ser. No. 60/883,916, entitled “IT Asset Management System,” and filed on Jan. 8, 2007, and is incorporated herein in its entirety by reference.

BACKGROUND OF THE SYSTEM

Computer networks are comprised of a large number of individual components, including monitors, computers, keyboards, software applications, disk drives, docking stations, and the like. During the life of a computer network, many of these components may be replaced in a gradual manner, or there may be an upgrade in which all or nearly all of one or more components are replaced in a relatively short time. This is sometimes referred to as an “end-of-life” event for the components being replaced.

There has grown to be a market for refurbished and repurposed computer components that are retired from service by one user and made available to new users after appropriate management of the asset. Often this asset management requires extensive involvement of personnel in repurposing the computer components. Some of the tasks include removing data, restoring or upgrading operating systems, testing, cleaning, repairing, and other tasks that can be time consuming.

One problem with current approaches for repurposing computer assets is the use of third parties for the project, leading to the possibility of sensitive and confidential data being exposed.

BRIEF SUMMARY OF THE SYSTEM

The system provides a method to automate the complex processes that occur at the end-of-life of IT hardware assets, and at the same time, increase the resale value of these assets.

Using the system, an IT manager is able to identify a scalable number of systems for Secure Disk Wiping, Diagnostic Testing, Hardware Audit, License Recovery and Backup. In one embodiment, these tasks are schedule driven, performed on multiple systems simultaneously, and minimize the usage of network bandwidth. By keeping these end-of-life processes in-house, an IT manager can ensure that there is no leakage of sensitive corporate data of any type, particularly data that is regulated under HIPAA and Sarbanes-Oxley. At the same time, an IT manager can increase resale value by restoring operating systems to hard drives once wiped, diagnostically testing systems, and capturing detailed hardware information, all of which can be supplied to potential buyers or new users of repurposed/refurbished components.

The system in one embodiment provides an enterprise-level software solution that can operate on a LAN or WAN. The system can simultaneously erase up to 10,000 PCs at a time, with no additional user interaction required. The system provides for remote erasure, HDD Backup (to guard against accidental erasure), Operating System (OS) restoration, including capture of OS licenses, and barcode printing.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a flow diagram illustrating an embodiment of the system.

FIG. 2 is a flow diagram illustrating a scan operation in an embodiment of the system.

FIG. 3 is a flow diagram illustrating an embodiment of a network discovery operation of the system.

FIG. 4 is a flow diagram illustrating an embodiment of hardware diagnostic operation of the system.

FIG. 5 is a flow diagram illustrating a hard drive backup and image transfer operation using the system.

FIG. 6 is a flow diagram illustrating the operation of system clean and restore in one embodiment.

FIG. 7 is a flow diagram illustrating hard drive sanitizing.

FIG. 8 is a flow diagram illustrating OS restoration in an embodiment of the system.

FIG. 9 is an example of network discovery detail.

FIG. 10 is an example of a sample computer system for implementing the system.

DETAILED DESCRIPTION OF THE SYSTEM

The system provides a method of identifying, clearing, testing, and repurposing computer assets that may be controlled from a single location. The system includes Network Discovery, Asset Disposal Options, Hardware Diagnostic Tests, Hard Drive Backup, Hard Drive Image Transfer, System Clean and Restore, Hard Drive Sanitization, license recovery, OS restore, and Barcode Assignment. In one embodiment, the system is implemented as controlled use software where a user has a license for a specific number of uses. In one embodiment the software is modular and event-driven, with separate modules for Discovery/Audit, Diagnostic Testing, Backup, Sanitizing, and Operating System Restoration, while tracking and limiting the number of systems/times each of these modules is utilized. All portions of this software should prohibit the user from copying for unauthorized use.

Discovery/Audit

This module performs Network Discovery Options.

Network Discovery

The Network Discovery module is used to discover IP addresses and sort them by manufacturer, by OS, and by other identifying characteristics. It discovers all devices attached to the network, all hardware models, parts, serial numbers, OS, board level details and license keys.

During Network Discovery, system identification information (MAC address, GUID, IP address, etc.) is set to be importable from other asset tracking/discovery software. The level of detail to be captured in the Discovery/Audit portion for Windows should, among other data, include the manufacturer and model details of the installed memory modules, network modules, video cards and disk drives. For Unix/Linux systems, the software should capture the manufacturer and model details of the system itself plus the installed features. For Windows systems, it should capture the OS and license key for later use in the OS Restoration module. The Discovery/Audit data collected should be filterable prior to output to Excel format. (For example, designate to export only the CPU, disk, memory and OS data, while leaving the rest of the data stored.)

The system may use any suitable database for storing the network information that is collected at this stage. The purpose of this module is to collect all of the asset and component information that exists on the network so that appropriate decisions can be made regarding repurposing of assets.

Asset Disposal Options

This step makes decisions on redeployment, recycle, and/or resale. Redeployment may be the transfer of the asset to another user in the company. Recycle may be performed by environmentally appropriate methods. All decisions at this stage require the cleaning of the systems, and redeployment and resale may require some restoration as well.

Hardware Diagnostic Tests

The Diagnostic module performs tests on hard drives (such as the IBM SMART test), performs battery tests, memory tests and manufacturers' diagnostic tests. In one embodiment the system uses WMI for battery charge testing and Smartmontools for S.M.A.R.T. testing of Windows based systems. As an example, the Sun Validation Test Suite (SunVTS) 6.2ps1 for Sun Microsystems may be used when appropriate. The hardware diagnostic tests are selected from a plurality of available tests based on the configuration, manufacturer, OS, etc.

Hard Drive Backup

Backup: Software should allow for backup of all systems designated for wiping, whether 10 or 10,000. These backups should be scheduled, minimize network traffic and backup to central network storage. The backup should confirm that it was performed correctly and allow for a user to separately verify that the backup was indeed performed correctly. In operation, backups are done on every asset, regardless of the ultimate disposition of the asset (redeployment, recycle, resale, etc.).

Hard Drive Image Transfer

This module transfers the hard drive image (e.g. system data) to another system. It is also used to transfer the OS License Key to another system. For example, by capturing the license key, the Windows operating system should be able to be restored to a wiped hard drive. The original OEM installed operating system, with OS upgrades if necessary, should be re-installed with the proper license key.

System Clean and Restore

This is to restore a system to original conditions and settings as appropriate. This may involve restoring OS and license keys, native software and licenses, and testing and confirming settings.

Hard Drive Sanitization

Secure Disk Wiping: The standard for disk wiping in the beta version should be DOD 5220.22-M, and the user should be able to wipe each system up to 1000 times. Systems should be capable of being backed up to network storage prior to wiping. In one embodiment a wipe configurator is available where the user can choose from a plurality of wipe algorithms. Other wipe algorithms that may be used include, but are not limited to, the following:

Air Force System Security Instructions 5020

Bruce Schneier's algorithm

BSI (German overwrite standard)

German Standard VSITR

HMG Infosec Standard No: 5 (baseline or enhanced)

Navy Staff Office Publication (NAVSOP-5239-26) for RLL

NSA (overwrite standard by National Security Agency)

OPNAVINST 5239.1A

Peter Gutmann's algorithm

The National Computer Security Centre (NCSC-TG-025)

U. S. Department of Defense Sanitizing (DOD 5220.22-M, DD 5220.22-M ECE)

US Army AR380-19

The module may include in one embodiment an Automatic Disk Overwrite Report: This generates results for each disk overwrite that can be printed and saved for permanent records. It makes an overwrite log available and prints a certificate of destruction if desired.

Bar Code Assignment

All peripherals are assigned bar codes for tracking and inventory control.

Reporting

Summary Report: One report, exportable in Excel format, should be generated that includes: selected discovered devices, the discovered data (filtered by user), the diagnostic test results, the secure wipe confirmation, and the operating system version and level restored to the wiped drive. Success Confirmations: A window/report after each Discovery/Audit, Secure Disk Wiping, Diagnostic, Backup, OS Restoration, and barcode printing operation should tell the user whether the process was performed correctly or failed for a particular system.

The operation of one embodiment of the system is illustrated in FIG. 1. At step 101 the asset information is acquired from the network. This may take place during the installation of the client. At step 102 appropriate diagnostics are run on the hardware and any repairs are made and unrepairable assets are identified and removed. At step 103 the data on asset storage devices is backed up. At step 104 licenses and keys are collected and validated. At step 105 asset systems are cleaned and restored with OS installations using appropriate licenses and keys.

Scan

FIG. 2 is a flow diagram illustrating a scan operation of the system. At step 201 the system is coupled to an organizational network. At step 202 scan parameters are established. These parameters define the functionality and scope of the scan. It can be for the entire network or for a subset of stations or characteristics of a network. The parameters can set an IP address range, select a hardware manufacturer (e.g. IBM, Compaq, HP, Dell, etc.), model/part number, and operating system. These selections are considered to be a parameter set. A plurality of parameter sets can be defined for different address ranges, manufacturers, models, and operating systems. At step 203 the system scans the network pursuant to the parameters selected. These parameters can include IP addresses, MAC addresses, Computer Name, etc. The system can use IP or MAC address ranges for use across the network or some other manner of identifying targeted assets. At step 204 the system stores the scanned data in a database for further use. The data includes each IP address, the manufacturer, model, summary description, serial number, licensed software and OS configuration, and other identifying information.
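
The parameter sets of step 202 can be modelled as scope filters over the stored inventory, so that any asset falling outside every set is reported rather than acted on. The following is an added example, not code from the patent; the class and function names, the inventory records, and the rule that fields within a set are ANDed while sets are ORed are all assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ParameterSet:
    """One scan parameter set: an IP range plus optional attribute filters."""
    name: str
    ip_first: str
    ip_last: str
    manufacturer: Optional[str] = None
    model: Optional[str] = None
    os: Optional[str] = None

    def __post_init__(self):
        lo = ipaddress.ip_address(self.ip_first)
        hi = ipaddress.ip_address(self.ip_last)
        # Reject mixed IPv4/IPv6 bounds and reversed ranges up front.
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"{self.name}: invalid IP range")

    def matches(self, asset):
        ip = ipaddress.ip_address(asset["ip"])
        lo = ipaddress.ip_address(self.ip_first)
        hi = ipaddress.ip_address(self.ip_last)
        if ip.version != lo.version or not (lo <= ip <= hi):
            return False
        # Unset filters match anything; set filters compare case-insensitively.
        for field in ("manufacturer", "model", "os"):
            wanted = getattr(self, field)
            if wanted is not None and str(asset.get(field, "")).lower() != wanted.lower():
                return False
        return True


def select_targets(inventory, parameter_sets):
    """Return (in_scope, out_of_scope): serial -> matching set names, and the rest."""
    in_scope, out_of_scope = {}, []
    for asset in inventory:
        hits = [ps.name for ps in parameter_sets if ps.matches(asset)]
        if hits:
            in_scope[asset["serial"]] = hits
        else:
            out_of_scope.append(asset["serial"])
    return in_scope, out_of_scope


# Constructed sample inventory (hypothetical records, not from the patent).
INVENTORY = [
    {"serial": "SN-0001", "ip": "10.20.0.11", "manufacturer": "Dell", "model": "Model-A", "os": "Windows XP"},
    {"serial": "SN-0002", "ip": "10.20.0.12", "manufacturer": "HP", "model": "Model-B", "os": "Windows XP"},
    {"serial": "SN-0003", "ip": "10.20.1.40", "manufacturer": "IBM", "model": "Model-C", "os": "Linux"},
    {"serial": "SN-0004", "ip": "10.20.9.5", "manufacturer": "Dell", "model": "Model-A", "os": "Windows XP"},
]

# Constructed parameter sets: address range plus one attribute filter each.
PARAMETER_SETS = [
    ParameterSet("floor2-dell", "10.20.0.1", "10.20.0.254", manufacturer="dell"),
    ParameterSet("lab-linux", "10.20.1.1", "10.20.1.254", os="Linux"),
    ParameterSet("floor2-xp", "10.20.0.1", "10.20.0.254", os="Windows XP"),
]

if __name__ == "__main__":
    scoped, unscoped = select_targets(INVENTORY, PARAMETER_SETS)
    print("in scope:", scoped)
    print("outside every parameter set:", unscoped)
```

Recording which set selected each asset gives an audit trail for later backup and wipe jobs scheduled from the same inventory.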

Network Discovery

FIG. 3 is a flow diagram illustrating the network discovery phase of the system and is a detailed view of the operation of step 101. At step 301 a client that contains the system software is coupled to a computer or a network of computers that are to be refurbished. At step 302 the system is initialized and the system enters network discovery mode. At step 303 the system interrogates devices on the network. This interrogation includes, but is not limited to, hardware models, parts, serial numbers, and OS details. At step 304 the system retrieves license keys from each station in anticipation of subsequent software restore operations. At step 305 the system stores the collected data in a database for use in recovery and refurbishing operations. At step 306 the system may prepare an optional report of the discovery in a suitable format (e.g. Excel) that can communicate relevant information to the owner or a potential buyer of refurbished assets. FIG. 9 illustrates some of the report information.

Hardware Diagnostic Tests

FIG. 4 is a flow diagram illustrating hardware diagnostic testing operations in an embodiment of the system. At step 401 the system initializes the hardware testing operation. At step 402 the user determines the parameters of the diagnostic tests. At step 403 the system begins testing pursuant to the parameters. Testing can include S.M.A.R.T. (Self-Monitoring Analysis and Reporting Technology) testing of hard drives and battery tests for laptops. At step 404 the system logs and stores test results, notifying of any out of range results.

Hard Drive Backup and Image Transfer

FIG. 5 is a flow diagram illustrating a hard drive backup and image transfer operation using the system. At step 501 the system initializes. At step 502, using the network discovery information and hardware diagnostic test results, the user determines target drives for backup (it may be all drives or some subset of drives). At step 503 the system performs a full or partial backup (depending on the chosen parameters) to network storage. If desired, at step 504, the system can transfer a drive image to another system or drive.

System Clean and Restore

The system provides automatic erasure and/or OS restoration to any number of systems. FIG. 6 is a flow diagram illustrating the operation of system clean and restore in one embodiment. At step 601 the system initializes the clean and restore function. At step 602 the system provides a choice of parameters for the user to select to customize the process. At step 603 the system erases individual files to the desired standard (e.g. DOD standard). At step 604, using backup data previously obtained, the system restores each system to its original condition and settings. At step 605 the system prepares a full report of the operation for auditing purposes.

Hard Drive Sanitation

In some cases, a user wishes to merely sanitize one or more drives. The flow diagram of FIG. 7 illustrates an example of this operation. At step 701 the sanitation operation is initialized. At step 702 the user selects the drive or drives to be sanitized. At step 703 the sanitation process is initiated. The system performs sanitation of the drives over the network pursuant to suitable standards (such as DOD standards). The system allows for repeated overwrite (up to 10,000 or more times) at step 704. At step 705 a certificate of data destruction is generated for records purposes.
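
Steps 703 to 705 (overwrite, repeat, certificate) can be sketched against a file-backed disk image. This is an added example, not code from the patent: the three-pass plan (fixed byte, its complement, random data) is an assumed pattern of the kind commonly associated with DOD 5220.22-M, and the function names, asset identifier and certificate fields are hypothetical.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 64 * 1024
# Assumed pass plan: fixed byte, its complement, then random data.
PASS_PLAN = (("fixed", 0x00), ("fixed", 0xFF), ("random", None))


def _overwrite_once(path, size, kind, value):
    """Overwrite the whole target once; return the SHA-256 of the bytes written."""
    digest = hashlib.sha256()
    with open(path, "r+b") as fh:
        remaining = size
        while remaining > 0:
            n = min(CHUNK, remaining)
            block = os.urandom(n) if kind == "random" else bytes([value]) * n
            fh.write(block)
            digest.update(block)
            remaining -= n
        fh.flush()
        os.fsync(fh.fileno())  # flush the pass to storage before reading back
    return digest.hexdigest()


def _digest_of(path):
    """Read the target back and hash it, for post-pass verification."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def sanitize(path, asset_id, plan=PASS_PLAN, repeat=1):
    """Run the pass plan `repeat` times, verify each pass, return a certificate dict."""
    size = os.path.getsize(path)
    log = []
    for round_no in range(1, repeat + 1):
        for kind, value in plan:
            written = _overwrite_once(path, size, kind, value)
            verified = _digest_of(path) == written
            pattern = kind if value is None else f"0x{value:02X}"
            log.append({"round": round_no, "pattern": pattern,
                        "sha256": written, "verified": verified})
            if not verified:
                # A failed read-back must never end in a certificate.
                raise OSError(f"{asset_id}: read-back mismatch in round {round_no}")
    return {
        "asset_id": asset_id,
        "bytes_overwritten_per_pass": size,
        "passes_completed": len(log),
        "completed_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "overwrite_log": log,
    }


def demo():
    """Wipe a constructed 200 KiB image and report whether the marker survived."""
    marker = b"CONSTRUCTED-PATIENT-RECORD"  # constructed sample data, 26 bytes
    fd, path = tempfile.mkstemp(suffix=".img")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write((marker + b"\x00" * 74) * 2048)  # 100-byte records
        cert = sanitize(path, asset_id="ASSET-EXAMPLE-001", repeat=2)
        with open(path, "rb") as fh:
            marker_found = marker in fh.read()
        return cert, marker_found
    finally:
        os.remove(path)


if __name__ == "__main__":
    certificate, found = demo()
    print(certificate["passes_completed"], "passes; marker still present:", found)
```

A file-backed image only exercises the logic: on real media, overwrite passes do not reach remapped sectors or blocks hidden by SSD wear leveling, so the certificate records what was written and read back through the block interface.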

OS Restoration

The system provides for automatic OS restoration over a network (LAN or WAN). FIG. 8 is a flow diagram of this operation. At step 801 the OS Restoration operation is initialized. At step 802 the user selects desired parameters for the OS restoration. At step 803 the system obtains the necessary OS licenses. This may be via retrieval from the database in a prior operation or it may be by implementing a license retrieval operation during this process. At step 804 the system sanitizes the drive if necessary (the drive may have been sanitized in a prior operation). At step 805 the system writes the appropriate OS to the drive with an associated license. This license may include the product key as well as the embedded and/or encrypted OEM hardware/OS correlated license key that has been retrieved by the system. At step 806 the system prepares a report of the operation.

Barcode Assignment

The system automatically assigns barcode values to system assets and peripherals for tracking purposes, as desired.

Embodiment of Computer Execution Environment (Hardware)

An embodiment of the invention can be implemented as computer software in the form of computer readable program code executed in a general purpose computing environment such as environment 1000 illustrated in FIG. 10, or in the form of bytecode class files executable within a Java™ run time environment running in such an environment, or in the form of bytecodes running on a processor (or devices enabled to process bytecodes) existing in a distributed environment (e.g., one or more processors on a network). A keyboard 1010 and mouse 1011 are coupled to a system bus 1018. The keyboard and mouse are for introducing user input to the computer system and communicating that user input to central processing unit (CPU) 1013. Other suitable input devices may be used in addition to, or in place of, the mouse 1011 and keyboard 1010. I/O (input/output) unit 1019 coupled to bi-directional system bus 1018 represents such I/O elements as a printer, A/V (audio/video) I/O, etc.

Computer 1001 may include a communication interface 1020 coupled to bus 1018. Communication interface 1020 provides a two-way data communication coupling via a network link 1021 to a local network 1022. For example, if communication interface 1020 is an integrated services digital network (ISDN) card or a modem, communication interface 1020 provides a data communication connection to the corresponding type of telephone line, which comprises part of network link 1021. If communication interface 1020 is a local area network (LAN) card, communication interface 1020 provides a data communication connection via network link 1021 to a compatible LAN. Wireless links are also possible. In any such implementation, communication interface 1020 sends and receives electrical, electromagnetic or optical signals which carry digital data streams representing various types of information.

Network link 1021 typically provides data communication through one or more networks to other data devices. For example, network link 1021 may provide a connection through local network 1022 to local server computer 1023 or to data equipment operated by ISP 1024. ISP 1024 in turn provides data communication services through the world wide packet data communication network now commonly referred to as the “Internet” 1025. Local network 1022 and Internet 1025 both use electrical, electromagnetic or optical signals which carry digital data streams. The signals through the various networks and the signals on network link 1021 and through communication interface 1020, which carry the digital data to and from computer 1000, are exemplary forms of carrier waves transporting the information.

Processor 1013 may reside wholly on client computer 1001 or wholly on server 1026 or processor 1013 may have its computational power distributed between computer 1001 and server 1026. Server 1026 symbolically is represented in FIG. 10 as one unit, but server 1026 can also be distributed between multiple “tiers”. In one embodiment, server 1026 comprises a middle and back tier where application logic executes in the middle tier and persistent data is obtained in the back tier. In the case where processor 1013 resides wholly on server 1026, the results of the computations performed by processor 1013 are transmitted to computer 1001 via Internet 1025, Internet Service Provider (ISP) 1024, local network 1022 and communication interface 1020. In this way, computer 1001 is able to display the results of the computation to a user in the form of output.

Computer 1001 includes a video memory 1014, main memory 1015 and mass storage 1012, all coupled to bi-directional system bus 1018 along with keyboard 1010, mouse 1011 and processor 1013.

As with processor 1013, in various computing environments, main memory 1015 and mass storage 1012 can reside wholly on server 1026 or computer 1001, or they may be distributed between the two. Examples of systems where processor 1013, main memory 1015, and mass storage 1012 are distributed between computer 1001 and server 1026 include the thin-client computing architecture developed by Sun Microsystems, Inc., the palm pilot computing device and other personal digital assistants, Internet ready cellular phones and other Internet computing devices, and in platform independent computing environments, such as those which utilize the Java technologies also developed by Sun Microsystems, Inc.

The mass storage 1012 may include both fixed and removable media, such as magnetic, optical or magnetic optical storage systems or any other available mass storage technology. Bus 1018 may contain, for example, thirty-two address lines for addressing video memory 1014 or main memory 1015. The system bus 1018 also includes, for example, a 32-bit data bus for transferring data between and among the components, such as processor 1013, main memory 1015, video memory 1014 and mass storage 1012. Alternatively, multiplex data/address lines may be used instead of separate data and address lines.

In one embodiment of the invention, the processor 1013 is a microprocessor such as manufactured by Intel, AMD, Sun, etc. However, any other suitable microprocessor or microcomputer may be utilized. Main memory 1015 is comprised of dynamic random access memory (DRAM). Video memory 1014 is a dual-ported video random access memory. One port of the video memory 1014 is coupled to video amplifier 1016. The video amplifier 1016 is used to drive the cathode ray tube (CRT) raster monitor 1017. Video amplifier 1016 is well known in the art and may be implemented by any suitable apparatus. This circuitry converts pixel data stored in video memory 1014 to a raster signal suitable for use by monitor 1017. Monitor 1017 is a type of monitor suitable for displaying graphic images.

Computer 1001 can send messages and receive data, including program code, through the network(s), network link 1021, and communication interface 1020. In the Internet example, remote server computer 1026 might transmit a requested code for an application program through Internet 1025, ISP 1024, local network 1022 and communication interface 1020. The received code may be executed by processor 1013 as it is received, and/or stored in mass storage 1012, or other non-volatile storage for later execution. In this manner, computer 1000 may obtain application code in the form of a carrier wave. Alternatively, remote server computer 1026 may execute applications using processor 1013, and utilize mass storage 1012, and/or video memory 1015. The results of the execution at server 1026 are then transmitted through Internet 1025, ISP 1024, local network 1022 and communication interface 1020. In this example, computer 1001 performs only input and output functions.

Application code may be embodied in any form of computer program product. A computer program product comprises a medium configured to store or transport computer readable code, or in which computer readable code may be embedded. Some examples of computer program products are CD-ROM disks, ROM cards, floppy disks, magnetic tapes, computer hard drives, servers on a network, and carrier waves.

The computer systems described above are for purposes of example only. An embodiment of the invention may be implemented in any type of computer system or programming or processing environment.

What is claimed is:
 1. A method for automatically managing computer assets comprising: discovering presence and identification information of computer assets on a network; performing diagnostic tests on the discovered assets; backing up the data of the discovered assets; restoring OS and software with licenses on selected assets; sanitizing data storage on non-selected assets.
 2. The method of claim 1 wherein the network is a LAN.
 3. The method of claim 1 wherein the network is a WAN.
 4. The method of claim 1 wherein performing diagnostic tests on said assets is accomplished by defining assets to be tested, establishing parameters of the diagnostic tests, and performing the diagnostic tests pursuant to the parameters.
 5. The method of claim 1 wherein backing up the assets is accomplished by defining assets to be backed up and performing the backup of those assets.
 6. The method of claim 1 wherein restoration of OS is accomplished by retrieving a license key for each asset to be restored, sanitizing each asset, and restoring the OS to each asset using the license key of each asset.
 7. The method of claim 1 wherein performing sanitizing is accomplished by selecting assets to be sanitized, erasing the assets, overwriting the assets as desired, and preparing a certificate of data destruction for each asset.
 8. The method of claim 7 wherein sanitization is performed pursuant to DOD standards.